Sneaky software allows the hardware interlock to be turned off.

A common pastime among the residents of the Internet's seedy underbelly is spying on people through their webcams then using the pictures to harass and blackmail the victims. This kind of hacking went mainstream when Miss Teen USA Cassidy Wolf was named as a victim of a blackmail attempt.

Further Reading

The Remote Administration Tool is the revolver of the Internet's Wild West.

In addition to standard computer security advice given to combat this behavior—keep your computer patched, don't install malware, and so on—it's commonly suggested that you only use webcams where the activity LED is hardwired to light up whenever the camera is active. Among others, Apple's line of laptops has been identified as having such hardwired LEDs. However, researchers at Johns Hopkins University have published a paper, first reported on by the Washington Post, demonstrating that even this isn't good enough. Some hardwired LEDs turn out to be, well, software controlled after all.

As with just about every other piece of modern hardware, the webcams in the computers that the researchers looked at—an iMac G5 and 2008-vintage MacBooks, MacBook Pros, and Intel iMacs—are smart devices with their own integrated processors, running their own software. The webcams have three main components: the actual digital imaging sensor, a USB interface chip with both an integrated Intel 8051-compatible microcontroller and some RAM, as well as a little bit of EEPROM memory.

One line joins the USB chip to an input on the imaging sensor called standby. When the line is held high by the interface chip, the sensor is put into standby mode and stops producing data. When it's held low, the sensor is taken out of standby mode and starts producing data. The same line is also wired to the negative side of an LED. Accordingly, when the line is high (and the imaging chip off), the LED is off. When the line is low, the LED is turned on.

This diagram shows how one of the I/O pins of the controller is connected to both the standby pin of the imaging sensor and the indicator LED.

In principle, then, this should serve as a hardware interlock. The LED is clearly hardwired, and its state should directly reflect whether the imaging chip is in standby or not. Unfortunately, the whole system is controlled by a layer of software.

When the driver for the webcam is loaded, the host PC uploads a small program to the USB controller (it has no permanent firmware storage of its own, so it has to be uploaded each time the camera driver is loaded). This small program in turn configures the imaging chip. The imaging chip doesn't have too many configurable properties, but one thing that it does have is whether it pays any attention to the standby input.

Apple's own drivers set a configuration where standby is respected. But other configurations are possible—such as one where the chip ignores standby entirely and always produces image data.

With this knowledge in hand, the researchers wrote a new piece of software to upload to the webcam. This piece of software was much like the normal webcam software but with two differences: first, it told the imaging sensor to ignore the standby input. Second, it ensured that the standby line was always held high to prevent the LED from illuminating.

The result: a webcam with a hardwired indicator LED that nonetheless allowed image capture without lighting the indicator LED.

Not all cameras promise to have hardwired indicator lights in the first place. Many Logitech cameras, for example, have a software-controlled LED. Software is available for these cameras that lets them be used as motion-activated security cameras—always on, recording anything "interesting" that they see—and for this niche scenario, being able to disable the indicator makes some sense.

Whether this design makes sense for most users, given the apparent abundance of surreptitious webcam-based spying, is less clear.

The researchers did not test modern Apple computers or other, non-Apple webcams. Secure designs for the indicator LED are possible, and different imaging sensor/USB controller pairings might prove to be more robust. Nonetheless, one thing is clear: if your hardware interlock is software mediated, it's not a hardware interlock any more. When it comes to protecting against webcam spying, you should ignore the technology and simply tape over the camera.

One has to admit, it's a very creative attack against a "hardwired" config. I assume that whenever the PC is on and awake, the sensor is powered, so there's really no easy way to truly hard-wire the LED. Ideally, the LED would be tied to the power leg of the sensor, but if the sensor is always "on", but in a standy mode... not too many options.

Need to bring back physical sliding shutters, like many pocket cameras.

In theory yes, but in practice it doesn't work, at least for portable cameras.

In order to put a physical shutter over the camera, you have to make the lens about 2mm smaller. Doing that will dramatically reduce the quality of the camera lens. We cannot currently make a camera lens that small without having terrible image quality.

A bit of electrical tape is the only good solution right now. Better to have tape over the camera than a laptop thick enough to have a good sized lens *and* a shutter over it.

When I go to a friends house (like thanksgiving etc) and use his desktop, I put a tent of paper over his webcam. He has a logitech one with no light. Sometimes I forget to take it off when I'm done and he gets snippy (he's a bit OCD, same with maximised windows, probably why CBS pays him the big bucks)

When I've talked about this stuff, he's dismissed it as crazy talk, but I knew I was sane.

Interesting to see that there is a sort of hardware interlock. I wonder if a more thorough and elegant solution would be to wire the PD3 output to not only the standby wire, but also through a power transistor controlling the V+ for both the sensor and the LED. This way, if the sensor ignores the standby the wire, it won't have power either - same for the LED. Of course, this would keep shutting the sensor down entirely every time it wasn't in use and I'm not sure if there'd be reboot issues with that.

I think the hardware shutter is a terrible idea - people will likely not actively use it and it would ruin aesthetics.

EDIT: sporkme directionally covered this when I was writing my comment.

IPads don't have the light because it's either looking right at your face, or the ceiling. Neither view is good for abusing your webcam.

A shutter is a great idea, my old Samsung Galaxy had one over the charging USB port, was very slimline and worked very well without causing any fuss over the thin phone body. Something similar would be good for a laptop webcam too.

A shutter is a great idea, my old Samsung Galaxy had one over the charging USB port, was very slimline and worked very well without causing any fuss over the thin phone body. Something similar would be good for a laptop webcam too.

Yeah, but USB sticks out the side or bottom of the device, where there is plenty of room to play with. Cameras usually take up 100% of the device's thickness, if not make the device thicker where the camera is.

What's annoying is that my iMac uses the camera to set the screen brightness, which suggests it's on all the time. Since I like the auto-dimming, putting a piece of tape over it (which I've done on every webcam I've owned) is not ideal.

Instead, I use a piece of bent card, taped to the screen at the bottom. Basically the camera sees the light reflected off the ceiling and I retain my privacy....

It's worth noting that the authors explored a second class of nasty little attacks:

Because the 8051 can be reflashed (from userspace, no root or kernel level privilege required) and is always on the USB bus, it can be turned into a malicious USB HID device in order to generate 'physical' keystrokes under software control.

Thank you Ars for reporting on this subject. My partner is less interested in tech issues than me, and for a while it was hard to make a convincing argument that is a thing now ... but showing her articles like this one has convinced her that it's an actual threat and not just my latest conspiracy theory! Now her laptop is more secure, and I can sleep safer knowing that someone I love is much less likely to be spied on by creeps.